Regulation on Card-based Instrument

1 Notice: The translation of the Rule is not of the same legal force as the enacted document in Georgian. The translation has been prepared by the National Bank of Georgia to assist interested parties and serves as a reference tool. You can find the official document in Georgian at the website of the Legislative Herald of Georgia and at the website of the National Bank of Georgia. Order № 155/04 Of the President of the National Bank of Georgia 02/09/2020 City of Tbilisi On Approval of the Regulation on Card-based Instrument On the basis of Paragraph 1(g) of Article 15 and Paragraph 1 of Article 63 of the Organic Law of Georgia on the National Bank of Georgia, Paragraph 1 and 2(a) of Article 42 of the Law of Georgia on Payment Systems and Payment Services and Paragraph 1(b) of the Law of Georgia on Normative Acts, I order: Article 1 The “Regulation on Card-based Instrument” attached shall be approved. Article 2 This Order shall come into force upon its publication. President of the National Bank Koba Gvenetadze

2 Regulation on Card-based Instrument Chapter I. General provisions Article 1. Purpose and scope

1. The scope of the Regulation on card-based instrument (hereinafter - the regulation) is to regulate the relations between the parties involved in issuing of card-based instrument (including the electronic money instrument) in Georgia and in the operations performed by these instruments, to ensure the transparency of the payment service process and to protect customer’s rights, as well as to increase customer confidence with respect to payment instrument and cashless payments.
2. This regulation applies to commercial banks licensed in Georgia, registered microfinance organizations and registered payment service providers (hereinafter – provider).
3. This regulation defines: a) The rule of issuing and servicing of card-based instrument by an issuer; b) The major terms of the agreement between issuer and card-based instrument holder and liabilities and obligations to be taken into consideration in that agreement; c) Rules and conditions of payment services provided by the acquirer. The liabilities of the acquirer toward merchants as well as towards issuer - legal entity created under Georgian legislation; d) Major terms of the agreement between merchants and acquirer and liabilities and obligations to be taken into consideration in this agreement; e) Certain issues of the relationship between the acquirer and the persons (sub-acquirer, marketplace organizer) involved in the card operations;
4. This regulation is applicable in conjunction with the Law of Georgia on Payment Systems and Payment Services and other legal acts governing payment systems and payment services. Article 2. Definitions
5. For the purposes of this Regulation, the terms used in this Regulation have the following meanings: a) Card-Based instrument – payment instrument, including payment card, mobile phone, computer or other technical device that has a payment application and that allows the payer to initiate card operation; b) Payment card (hereinafter – card) – electronic payment instrument category issued by the issuer, through which the payer can initiate card operation; c) Payment application – computer software or its equivalent loaded on a device enabling card-

3 based payment transactions to be initiated and allowing the payer to issue payment orders; d) Personalized card – a card on which cardholder’s name and surname or initials are indicated. In addition, cardholder’s name and surname are recorded on the magnetic stripe and/or microchip of the card; e) Non-personalized card - a card that is not a personalized card; f) Debit card – card-based instrument, which allows its holder to dispose available funds on his/her bank account, on the basis of an agreement concluded with the issuing commercial bank; g) Credit card – a card-based instrument, which, allows its holder to perform operations within the credit line granted by the issuer, except for overdraft, on the basis of the terms of agreement concluded with the issuer; h) Prepaid card – a card-based instrument, through which operations are performed within the limit of preliminarily deposited (nominal amount of electronic money) amount (credit limit is not allowed); i) Virtual card – set of card details (at least card number, validity period and security code) without the physical presence of the card through which the cardholder, by relevant authentication measures, can make payments on the basis of an agreement concluded with the issuer only via internet; j) Commercial card – card-based instrument issued for legal person or entrepreneur natural person, which is used only for business expenses and card operations performed through which are reflected in the accounts of a legal person or of an entrepreneur natural person; k) Entrepreneur natural person – a natural person who carries out its activities in accordance with the Article 36 of the Tax Code of Georgia; l) Cardholder – an identified person who uses the card-based instrument; m) Card purchaser: m.a) natural person, who purchases non-personalized prepaid card for personal use or for handing it over to another natural person for use; m.b) legal entity, which purchases non-personalized prepaid card for handing it to a natural person for use; n) Issuer – provider, that issues card-based instrument through which card based operations can be initiated; o) Card account – card-based instrument holder’s current or demand deposit account in the issuing commercial bank on which operations performed by debit cards are reflected, as well as credit card transactions, if the current or demand deposit account balance for these transactions is replenished from the loan account in addition, customer’s electronic wallet (electronic money account) with the provider, on which operations performed through

4 prepaid cards are reflected; p) Credit card account - an account opened in issuer commercial bank or microfinance organization that reflects credit card transactions. q) Spending Limit – a maximum amount of funds set by the issuer, available for card-based operations within the defined period of time; r) Card payment operation (hereinafter - card operation) – Debit or credit operation performed by card-based instrument, including card credentials, in accordance with card scheme rules, through card infrastructure, on the basis of which amount of the operation is recorded on credit/debit card account /card balance is changed accordingly; s) PIN – the cardholder’s personal, confidential code used as one of the cardholder’s authentication element; t) ATM (Automated Teller Machine) – an electronic software–technical self-service device, through which a cardholder can deposit / withdraw cash; u) POS terminal - an electronic software and/or technical device used to: u.a) Withdraw cash from provider’s office; u.b) Make payment at merchant outlets through card-based instrument, that may include cash withdrawal along with the payment for goods/services (except electronic commerce operations); v) Issuer’s 3D security – service based on 3D Secure protocol through which issuer confirms card-based operation initiated by e-commerce terminal only after authentication of cardholder; w) 3D security of the acquirer – service based on 3D secure protocol through which acquirer of electronic commerce terminal addresses issuer for the additional authentication of the cardholder; x) Electronic commerce terminal – virtual POS terminal (software application) registered in the acquirer’s system through which card operations, as well as cancellation and refund operations, are performed through internet in favor of an electronic commerce merchant; y) Electronic commerce merchant – merchant outlet that sells its goods/services through electronic commerce terminal; z) Marketplace – one of the forms of electronic commerce when different merchant outlets sell their goods/services through one website; z 1 ) Organizer of the marketplace - commercial intermediary that manages marketplace; z 2 ) Merchant – legal person or entrepreneur natural person that has an agreement concluded with acquirer or sub-acquirer on acquiring services; z 3 ) Contactless card-based instrument – card-based instrument that transfers information

5 through contactless technology; z 4 ) Card receipt – document issued by an ATM or POS terminal, which verifies payment for goods / services, cash withdrawal by card-based instrument or execution of other card operation; also reflects the relevant information in case of non-successful execution of the mentioned operations; z 5 ) Acquiring – an activity which ensures payment transaction by electronic-technical means through a payment instrument, internet payment transaction with the details of a payment instrument, cash withdrawal operation through a payment instrument and relevant settlement on the basis of an agreement concluded with merchant or other person (marketplace organizer, sub-acquirer); z 6 ) Acquirer – a provider who carries out acquiring services; z 7 ) Sub-acquiring – an activity performed by a provider that includes concluding agreements with merchants and ensuring settlement with them within the framework of the agreement between this provider and the acquirer; z 8 ) Sub-acquirer – provider who carries out sub-acquiring; z 9 ) Offline operation – operation that is confirmed or denied without connecting the issuer; z 10) Online operation – operation, that is confirmed or denied by issuer or by relevant card scheme on behalf of the issuer; z 11) Card scheme – international card schemes (Visa, MasterCard, UnionPay, American Express etc.) and local card schemes which have a single set of rules, technical standards and implementation guidelines based on which the card transaction is processed, it also includes decision-making body or person accountable for the functioning of the scheme. Card scheme does not include technical infrastructure and payment system that ensures execution of card operation; z 12) Local card scheme – card scheme developed by the provider and/or payment system operator acting in Georgia, according to which card-based operations can be performed only at card accepting devices of the licensed/registered providers in Georgia; z 13) Merchant Category Code or MCC - ISO 18245 standard 4-digit code, that define the type of merchant’s activity; z 14) Merchant fee – fee paid by merchant to the acquirer for execution of card-based operations; z 15) Co-branding – the inclusion at least one payment brand and at least one non-payment brand on the same card-based payment instrument; z 16) Payment brand - any material or digital name, term, sign, symbol or combination thereof, which can be used to identify a payment card scheme through which the card-based payment transactions are carried out;

6 z 17) Co-badging – the inclusion of two or more payment brands or payment applications of the same payment brand on the same card-based payment instrument; z 18) Overrunning - a tacitly accepted overdraft whereby a creditor makes available to a consumer funds which exceed the current balance in the consumer's current account or the agreed overdraft facility. 2. Other definitions used in this regulation have the same meanings as defined in the law of Georgia on “Payment System and Payment Services” and other legislative acts of Georgia. Chapter II. Issuing of card-based instrument Article 3. General obligations of the issuer

1. Commercial bank in Georgia is entitled to issue all kinds of payment cards (debit, credit, prepaid), microfinance organization is entitled to issue credit card whereas, registered payment service provider – prepaid card.
2. In case of issuing card-based instrument of international card scheme, issuer is obliged to submit information to the National Bank of Georgia (hereinafter – National Bank) 30 calendar days before starting the service, which demonstrates that the issuer has relevant resources, qualification and mechanisms for smooth service, as well as managing service related risks.
3. If issuer plans to implement co-branding and co-badging products, it is obliged to submit product (products) description to the National Bank no later than 30 calendar days prior to service implementation.
4. Issuer is obliged to elaborate card-based instrument issuance policy which, depending on the profile of the customer, among other things shall include: handing of card-based product, setting operation limits, restricting certain operations etc. The issuer must provide a list of high-risk merchants (in the context of MCCs) with which cardholder's consent on providing operations must be obtained before the card-based instrument is activated. If the cardholder agreed to conduct operations with high-risk merchant, he must be able to cancel the consent at any time. The issuer is entitled to obtain the cardholder's consent to carry out operations with high-risk merchants directly at its service offices or remotely based on strong customer authentication. The issuer shall periodically review the rules and procedures established under the policies set forth in this paragraph, taking into account the risks realized and expected
5. If issuer is handing card-based instrument or card details to a customer through third party, issuer is obliged to bear all the risks related to sending payment instrument and/or its personalized security credentials and means.
6. Issuer is obliged to: a) Provide rules and recommendations for using card-based instrument to cardholder/card purchaser or indicate publicly available source where the information is placed;

7 b) Inform card-based instrument holder/card purchaser about the importance of complying with the terms of the use of card-based instrument and provide recommendations about the safe use of this instrument; c) Take all possible measures for protection of card-based instrument and for preventing its illegal use; d) Periodically provide the verification of payment instrument holder contact information and take reasonable steps to update the unverified contact information. 7. Issuer shall have the chargeback procedures. The issuer is obliged to process the card-based instrument holder complaint related to the transaction performed no later than 20 working days after the submission of the complaint. If, due to reasons beyond provider’s control, it is not possible to review complaint and take decision within mentioned timeframe, the issuer is obliged to inform card-based instrument holder about substantiated reason for the delay and the period of the consideration and taking decision. The Timeframe for making a decision on the claim and notifying the card instrument holder should not exceed 55 working days after receiving the complaint. 8. During dispute resolution period of card transaction performed inside the Georgia, issuer is obliged to contact acquirer or other party involved in the operation in order to receive the information about performed operation, unless all details and circumstances of the disputed transaction are known to the issuer. 9. The Issuer is also liable to the card-based instrument holder if: a) As a result of non-compliance with security procedures by the issuer or its outsourcing company, information related to card-based instrument became available to third party; b) As a result of program/technical deficiencies card-based instrument holder incurred actual loss. Article 4. Card-based instrument service agreement conditions

1. Issuer is obliged to conclude an agreement with card-based instrument holder on service of card-based instrument that, in conjunction with other requirements of Georgian legislation shall include the following: a) Name of card-based instrument, card scheme and card type; b) The Rule of use of card-based instrument, among them accessories (sticker, bracelet, watch etc.) with card functionality and of payment application, security conditions, restrictions, all possible commission fees and principles of its calculation; c) Security requirements of card-based instrument (among them, accessories, payment application). Also, all risks associated with certain type of card (among them, risks associated with payment application, contactless card/card-based instrument and use of accessories

8 equipped with card functionality); d) Rights and obligations of the parties, including the issuer's obligations and responsibilities upon receipt of information from the cardholder on lost/theft of the card instrument / card data, mobile phone, accessory, or on unauthorized transaction (including the obligations of payment service provider stipulated in the Law of Georgia on Payment Systems and Payment Services) e) In case of receiving information about loss or theft of card-based instrument/card data, mobile phone or accessory, or in case of unauthorized operation the actions that shall be taken by card-base instrument holder (including the obligations of payment service user stipulated in the Law of Georgia on Payment Systems and Payment Services); f) The nature/characteristics or possible outcome of all transactions performed by the card￾based instrument established by the card scheme (online, offline, automatically recurring (Recurrent), overspending, etc.) and the liability and responsibility of the card-based instrument holder and provider in the context of these transactions; g) Information on the timeframe of reflecting card-based operation on cardholder account. Also, the terms of the conversion, which include information on the source and date of currency exchange rate used in accordance with Article 6, point 8 of this Regulation; h) Card operation chargeback deadlines and the list of accompanying information to be submitted; i) Chargeback procedures and timeframes; j) In case of exceptional and objective circumstances, obligation to inform the card-based instrument holder about the extension of period of chargeback process; k) Conditions for providing information and/or account statement on the performed operations; l) Terms stipulated by the President of the National Bank of Georgia Order 1/04 of January 6, 2016 “The Rule on Provision of Essential Information to the Payment Service Users During Providing the Payment Service” 2. In case of card-based instrument specified in paragraph 1 of Article 7 of this Regulation, instead of concluding an agreement specified in paragraph 1 the issuer shall provide the instrument user only with the terms and conditions of use of the card-based instrument or indicate a publicly available source where the mentioned information is posted. Article 5. Card details At least, the following information shall be recorded on the card (except the cards issued for at least 10 GEL payments (hereinafter-micro payment) and virtual cards): a) Name (or initial of name) and surname (except for non-personalized card) of the card holder

9 (including additional card); b) Card validity period; c) A name of the card scheme/payment brand or name of issuer or/and their logotypes; d) The place of cardholder’s signature (except for chip cards); e) Issuer’s hotline number. Article 6. Disposal of card accounts

1. Disposal of the funds on the same card account/credit limit of credit card can be managed through various card-based instrument (with the additional card/card-based instrument).
2. Issuer can permit overdraft on debit card within predefined amount.
3. The actual date of executing card payment may differ from the date of its reflection on the card accounts/credit card accounts.
4. A person, identified as a card-based instrument holder with the issuer, shall be responsible for operations executed by card-based instrument, except non-authorized or incorrectly executed transactions.
5. For the purpose of performing operations by debit cards/card-based instrument, funds on cardholder’s other current or/and demand deposit accounts in the same commercial bank may be used upon agreement with the card account holder. Priorities of using funds on accounts shall be determined by the card account holder. If this is technically impossible, provider is obliged to determine the most favorable sequence for the customer.
6. If it is possible to use funds of different currencies with card-based instrument, the card transactions first of all should be reflected on the account in the currency in which the transaction was executed. If the cardholder does not have the funds in transaction currency on the relevant card account/credit card account and this transaction was settled by the card scheme, transaction should be reflected on card scheme settlement currency account.
7. In the absence of currencies account / credit card account specified in paragraph 6 of this Article or in the absence of transaction full amount in these currencies, the issuer is entitled to convert funds from the currency on the relevant card account / credit card account. In this case, the conversion should be made only to replenish the transaction amount in full.
8. If the card transaction is related to conversion, the issuer shall ensure for the cardholder transparency of the terms of the conversion from the transaction initiation to its reflection on the account. In order to make the conversion process transparent, the issuer should develop and make available to the user a scheme showing the chain of possible conversions of the amount of the transaction initiated in different currencies with reference to the sources of the respective exchange rates.
9. Following the activation of card-based instrument the issuer:

10 a) Is obliged to make the funds deposited on the relevant account available to card-based instrument holder/card purchaser under the conditions specified for the instrument, unless otherwise provided by the legislation of Georgia; b) Is obliged to provide information on card transactions and account balance upon the request of card-based instrument holder, except additional card holder (in case of prepaid card issued to a non-identified/non-verified person - the presenter of this card) 10. The cardholder statement or other records available to the customer about the operations performed with card-based instrument should contain the following basic information: a) Card-based instrument holder account number and / or incomplete card number; b) Currency; c) The balance at the beginning of the extract period; d) The amount of the executed transaction (debit / credit); e) Date, time and place of transaction (in case of ATM - address); f) Merchant name and MCC; g) The balance at the end of the extract period; h) The conversion rate/rates (card scheme rate and / or bank rate) if this transaction was related to conversion/conversions. Article 7. E-money card-based Instrument

1. The provider is authorized, after agreement with the National Bank, to issue prepaid card/card-based instrument to non-identified/non-verified natural person, if this instrument meets the following criteria: a) Instrument can only be used for the payment of goods or services; b) At any given time, it is impossible to store e-money on this instrument, the amount of which exceeds 500 GEL or its equivalent in foreign currency; c) The total amount of the funds permitted to be transferred by the instrument during a month does not exceed 500 GEL, if the instrument is only used in Georgia or electronic money can be deposited/transferred on the instrument only once; d) It is not allowed to transfer anonymous e-money on the instrument; e) The issuer of the instrument monitors business relations to detect suspicious deal.
2. In agreement with the National Bank, the limit specified in sub-paragraph ”b” of the paragraph 1 of this Article may be increased to 1500 GEL if the instrument can only be used in Georgia.
3. The exception specified in paragraph 1 of this Article shall not apply to an e-money

11 instrument which allows cash withdrawal or refund money, the total amount of which exceeds 150 GEL or its equivalent in foreign currency. 4. The issuer is entitled to issue such a non-personalized prepaid card which is intended to transfer to the other natural person by the purchaser of the card. This card must meet the requirements of paragraphs 1 and 3 of this article. Article 8. Other obligations of the issuer

1. The provider is obliged to protect the confidentiality of information related to cardholder in accordance with the legislation.
2. Card-based instrument holder, as well as the additional card holder identification/verification procedures, as well as monitoring of card transactions should be provided according to the requirements of the Law of Georgia on the Facilitation of Money Laundering and Terrorist Financing and the legal acts issued by the Financial Monitoring Service of Georgia and the National Bank.
3. The provider is obliged to record and keep all information on all types of issued card-based instrument holders as well as on transactions executed by these instruments in compliance with the timeframes foreseen by the legislation.
4. At any time given it shall be feasible to obtain the information on identification details of card-based instrument holders stored in compliance with the timeframes defined by the legislation, as well as on operations executed by the specific card-based instrument or/and its holder. Article 9. Blocking card-based instrument
5. In the event that the loss, theft, misappropriation of card-based instrument/card details, mobile, accessory or execution of unauthorized operation through it is detected, the provider is obliged to ensure the possibility of receiving information at any time directly from the cardholder or through outsourcing company.
6. In the event that the loss, theft, misappropriation of card-based instrument/card details, mobile, accessory or execution of unauthorized operation through it is detected, the cardholder is obliged to notify the issuer or person appointed by the issuer about the occurrence without undue delay. While the issuer is obliged to immediately, prevent any use of the card upon receiving the notification.
7. Provider is entitled to immediately prevent or temporarily block (suspend) the future use of card-based instrument if provider has a reasonable suspicion that unauthorized operations may be executed by card-based instrument. In such case, provider is obliged to inform the card-based instrument holder immediately.

12 Chapter III. Acquiring Article 10. Activity of acquirer

1. Acquirer and sub-acquirer are entitled to provide service to the merchant against to which took the appropriate measures defined by the Law of Georgia on “Prevention of Money Laundering and Terrorist Financing” and legal acts issued by the Financial Monitoring Service of Georgia and the National Bank and received reliable information about merchant activities.
2. Acquirer is entitled to serve to merchant through another payment service provider (sub￾acquirer) if the latter represents the licensed commercial bank or registered payment service provider at the National Bank. In addition, the acquirer is obliged: a) To open an account to sub-acquirer with him and transfer appropriate amount of acquiring service on that account, from which sub-acquirer will transfer it directly to the merchant accounts. If the account is opened with another commercial bank, the acquirer must make sure that the commercial bank is informed of the purpose of using this account by the sub￾acquirer; b) Should be convinced with the adequacy of sub-acquirer money laundering and anti￾terrorism financing prevention policies; c) Through risk-based approach implement measures against merchants with higher risks of money laundering/terrorism financing in accordance with the Law of Georgia on Facilitation of Prevention of Money Laundering and Terrorist Financing and legal acts issued by the Financial Monitoring Service of Georgia and the National Bank and receive reliable information about merchant activities.
3. Before concluding or renewing the contract with the merchant, acquirer/sub-acquirer is obliged to make sure that this person is engaged in legal activities and have sufficient means to protect card-based instrument and card transaction data.
4. Acquirer is obliged to assign relevant MCC with respect to the activity of merchant outlet.
5. When providing service to marketplace, acquirer is obliged: a) For each merchant outlet carry out the measures envisaged by the Law of Georgia on the Prevention of Money Laundering and Terrorist Financing and the legal acts issued by the Financial Monitoring Service of Georgia and the National Bank on its basis and adopt credible Information about the activity of each merchant; b) Manage dispute operations on behalf of each merchant; c) Transfer funds directly to the account of merchants without transferring money to the account of the marketplace or transfer the corresponding amount of the acquiring service to the account opened with him or another commercial bank, from which the marketplace will transfer money directly to the merchant account; If the marketplace account is opened with

13 another commercial bank, then the acquirer must make sure that the commercial bank is informed of the purpose of using this account by the marketplace and also ensure the periodic request of marketplace relevant account balances and verify payment transactions to merchant accounts compliance with its own system records; d) To ensure conclusion of agreement with merchants according to Article 12 of this Regulation directly or through marketplace. 6. The acquirer is authorized to provide acquiring services to a merchant or its branch/representation established under foreign legislation, to marketplace established under foreign legislation or to marketplace that provides service to merchant established under foreign legislation or its branch/representation if it has an adequate mechanisms to meet the requirements stipulated in the Law of Georgia on Facilitation of Prevention of Money Laundering and Terrorist Financing and legal acts issued by the Financial Monitoring Service of Georgia and the National Bank. A description of above-mentioned mechanisms must be submitted to the National Bank at least 30 calendar days before the start of the service. 7. Sub-acquirer, who plans to introduce sub-acquiring service to merchant established under foreign legislation, is obliged to submit documentation to the National Bank no later than 30 days before starting the service, thus confirming the existence of adequate mechanisms at its disposal to comply with the requirements stipulated by the Law of Georgia on Facilitation of Prevention of Money Laundering and Terrorist Financing and legal acts issued by the Financial Monitoring Service of Georgia and the National Bank. 8. The Acquirer and sub-acquirer shall make sure that merchant offers/sells goods/services through its own website or through a website of marketplace they serve. In addition, acquirer or/and sub-acquirer shall make sure and monitor that merchant is actually selling those goods/services that are stipulated in the agreement signed with acquirer, sub-acquirer or/and marketplace. However, upon monitoring the merchant transactions acquirer and sub-acquirer shall make sure that actual beneficiary of the funds deposited on merchant account on the basis of the acquiring agreement is the merchant that is in contractual relationship with acquirer/sub-acquirer/marketplace. 9. The acquirer is entitled to provide the acquiring service to the merchant established under Georgian legislation without opening an account. In such case, acquirer must ensure that the funds due to the merchant credited to the current account of this merchant opened in the commercial bank registered in Georgia or to merchant treasury code at State Treasury of the Ministry of Finance. The acquirer shall transfer the mentioned amount no later than the next banking day after receiving respective funds on acquirer’s account, unless the operation of the merchant was considered suspicious. In case of the service described in this paragraph, acquirer is obliged to submit to the National Bank the description of the respective service no later than 30 calendar days before starting the service. 10. Acquirer/sub-acquirer must have effective monitoring systems for the operations performed at its merchant outlets (among them, e-commerce merchants) in order to detect

14 fraudulent operations/devices/software. Acquirer shall ensure constant updates of monitoring system in such a way that it is possible to identify and prevent fraudulent schemes established in international or/and local practice until current period. The acquirer should periodically provide training of staff working with monitoring programs. 11. The acquirer shall have permissions from the relevant card schemes in order to carry out the activity. 12. The Acquirer who stores or transmits card data issued by another provider through its infrastructure is obliged to perform independent and unbiased audit of such infrastructure/information systems once in 2 (two) years. The audit of information system and technologies shall be performed by a widely recognized audit company to ensure compliance with Payment Card Industry Data Security Standards. 13. The acquirer shall be liable to the issuer, if: a) As a result of the failure of merchant security procedures, card-related data became available to the third party; b) Due to its ATM or POS terminal malfunctions or other software-technical deficiencies, the cardholder has suffered an actual loss from card operation; c) Due to the lack of e-commerce terminal monitoring systems or/and lack of adequate monitoring system, acquirer could not detect and prevent merchant unusual transactions. 14. Acquirer is obliged to provide all necessary information and means to merchant for receiving payments by card-based instruments, train respective staff of merchant, periodically conduct their trainings and train new staff. 15. The acquirer is obliged to process the complaint submitted by the issuer about unauthorized operations. The deadline to review a complaint about the operations performed inside Georgia by card-based instrument issued in Georgia shall not exceed 15 working days. This timeframe may be extended by agreement with the issuer in exceptional and objective circumstances, for a maximum of 25 working days. 16. In case of disputed transaction, the acquirer is obliged to investigate the reason of occurred incident or/and unauthorized operation at its merchant outlet or ATM. It has to bear the burden to prove to the issuer that the incident or/and unauthorized operation that the incident/unauthorized transaction was not caused by the reason of its devices or merchants. 17. E-commerce acquirer shall ensure that payments from the website of e-commerce merchant are made based on strong customer authentication or the use of a one-time code in accordance with the "Strong Customer Authentication Rule" approved by the President of the National Bank of Georgia; 18. Executing offline transaction is forbidden when purchasing goods/services at e-commerce merchant. 19. The acquirer is entitled to offer the customer to perform operations such as receiving

15 information about the account balance, initiating payments, etc. with the ATM in its service. The acquirer is also entitled to offer the customer card-to-card money transfer service (P2P transactions). 20. If acquirer plans to implement cash withdrawal service together with paying for goods/services by POS terminal at merchant outlet, it is obliged to submit the description of the service no later than 30 calendar days before starting the service to the National Bank of Georgia. It is forbidden to perform only cash withdrawal operations from POS terminals located at merchant outlets. Article 11. Information to be provided to the payer and merchant by the acquirer

1. The acquirer shall ensure, that in the process of initiating of ATM or POS operation (including e-commerce operation) the information about operation amount and currency is shown on the screen to the payer;
2. If acquirer offers currency exchange service to the payer, then it must provide the payer with the information about all kind of currency exchange rates and commissions related to this service before initiating card operation in ATM or POS terminal located at merchant outlet (including e-commerce merchant outlets);
3. The acquirer is obliged to make the following information for merchant about each card operation executed: a) A unique code of transaction that will enable the merchant to identify the card transaction; b) The amount and currency of the card operation to be deposited on merchant account.
4. In case of preliminary agreement (contract) between acquirer and merchant, the information stipulated in paragraph 3 of this Article may be made available to the merchant periodically, at least once a month in such a way, that the merchant can store and multiply it without changing. Article 12. Basic conditions of the agreement concluded with the merchant
5. The acquirer is obliged to sign an agreement with each merchant outlet directly or through other provider (sub-acquirer), which, together with the mandatory requirements provided under the Georgian legislation, shall include the following information: a) Name and field of activity of the merchant; b) Type of service and its description (physical POS terminal, e-commerce terminal, self-service kiosk etc.) c) Rules for accepting card-based instrument as a means of payment; d) Limits set for the execution of the operations (if any), except the limits arising from acquirers

16 risk management policies; e) Obligations of the merchant regarding the protection of card operation security measures; f) Obligation of the merchant to make visible the operation amount to the payer through the screen of POS terminal or other screen integrated with POS terminal, while in case of e￾commerce – through computer, telephone, Pad or screen of another device prior to card operation. g) Procedures to be performed by merchant in the event of suspicious operations, including: g.a) Attempt to execute operation with the card that expired, blocked or does not have standard requisites; g.b) Missing the signature of the cardholder on the card, in case of signature strip on the card; g.c) When executing the operation with magnetic stripe, discrepancy between the signature on the card and the signature on the operation receipt; h) Commission to be paid by the merchant and the principle of its calculation; i) The period of the crediting the amount to the merchant account from the day of executing card operation, which should not be more than the second working days after receiving the relevant amount by the acquirer/sub-acquirer, unless the transaction of the object was considered suspicious by the acquirer/sub-acquirer; j) Grounds for refusal to perform a card operation by merchant; k) Obligations of merchant and acquirer related to improperly executed card operation, refunds and disputes; l) Obligations of acquirer in relation to the merchant in accordance to Articles 10-11, of this Regulation. 2. The acquirer is obliged to periodically check the merchant obligations compliance with the provisions of the agreement. In case, when merchant systematically violates obligations stipulated in the agreement, acquirer is obliged to consider termination of providing service to this outlet. 3. The acquirer shall ensure the access of merchant to the operations executed in its favor, in such a way that it enables merchant to calculate the commission he has to pay and compare/verify information about operations with those operations recorded in its internal system. 4. If acquirer is providing merchant service through marketplace, it is obliged to conclude a bilateral service agreement with merchant directly or trilateral service agreement with marketplace and merchants. In both cases, concluded agreement shall meet the requirements of paragraph 1 of this Article.

17 Article 13. Card receipt

1. Card receipt (including electronic) confirming the operation executed by card-based instrument at physical POS Terminal (except e-commerce terminal) shall include the following details: a) Merchant legal name/trade or brand name and address where the operation (indication of telephone number is recommended) was executed; b) Name of provider (acquirer); c) Date and time of executing the operation; d) Terminal identifier (ID); e) Amount and currency of executed operation (if cash withdrawal was also executed together with purchasing goods/service, those amount should be indicated separately); f) Card operation confirmation code; g) Card details (incomplete number of the card or relevant card token); h) Signature of the cardholder (signature of the cardholder is not mandatory, if payment operation is executed with the use of PIN code or contactless technology and the amount does not exceed the upper limit of the amount specified by the Article 13, paragraphs “a” and “b” of Strong Customer Authentication Rule approved by the President of the National Bank of Georgia Decree №156/04, September 2, 2020).
2. Requirements stipulated in paragraph 1 of this article does not apply to POS terminals where only micro payments (10 GEL) can be executed.
3. The card receipt issued by the ATM after executing card operation shall contain the following information: a) ATM holder (acquirer’s) name; b) Date and time of the operation; c) Identifier (ID) and address of ATM; d) Amount and currency of executed operation; e) Card operation confirmation code; f) Card details (incomplete number of the card or relevant token)
4. Electronic receipt issued as a result of e-commerce operation shall contain the following information: a) Name and address of e-commerce merchant (city, country); b) Name of the provider (acquirer); c) Date and time of the operation;

18 d) Website address of e-commerce merchant; e) Amount and currency of operation; f) Confirmation code of card operation; g) Card details (incomplete number of the card or relevant token). Article 14. Authority of National Bank The National Bank is entitled to request additional information and/or documentation from the provider according to article 3 paragraphs 2-3 and article 10 paragraphs 6, 7, 9 and 20 of this regulation and to determine deadline for submitting this information/documentation. Chapter IV. Transitional Provisions Article 15. Transitional provisions

1. By April 1, 2021, the issuer is obliged to comply with the requirements related to the possibility of limiting the card instrument in the merchant outlets specified in paragraph 4 of Article 3 of this Regulation.
2. By October 1, 2020, the issuer is obliged to develop the procedure specified in paragraph 7 Article 3 of this Regulation.
3. By December 1, 2020, the issuer is obliged to ensure compliance of the agreements concluded with the card-based instrument holders with the requirements set in the first paragraph of Article 4 of this Regulation.
4. The issuer is obliged, in case of introduction of the services provided for in Article 6, Paragraph 5 of this Regulation, to ensure compliance with the requirements related to the sequence of use of funds on the accounts established in Article 6, Paragraph 5 of this Regulation from November 1, 2020.
5. From November 1, 2020, the issuer shall ensure compliance with paragraphs 6-8 of Article 6 of this Regulation.
6. By November 1, 2020, the acquirer is obliged to submit to the National Bank the information on the services introduced before the entry into force of this Regulation, as defined in paragraph 9 of Article 10 of this Regulation.
7. From April 1, 2021, the acquirer is obliged to provide the information provided in paragraph 3 of the Article 11 of this Regulation to the merchants.
8. By June 1, 2021, the acquirer is obliged to provide compliance of merchants’ agreement (including merchant agreements signed through marketplaces in accordance with paragraph 4 of Article 12 of this Regulation) already concluded in electronic form, with the requirements set forth in the first paragraph of Article 12 of this Regulation. If the acquirer, as a result of the

19 measures taken in accordance with the first paragraph of Article 10 of this Regulation, has received reliable information about the activities of the merchant, the requirements on the defining the sphere of merchant activity in the agreement, set in sub-paragraph “a” of paragraph 1 of Article 12 of this Regulation shall not apply to the already concluded agreements. 8 1 . By September 1, 2021, the acquirer is obliged to provide compliance of merchants’ agreement (including merchant agreements signed through marketplaces in accordance with paragraph 4 of Article 12 of this Regulation) already concluded in material form with the requirements set out in the first paragraph of Article 12 of this Regulation. If the acquirer, as a result of the measures taken in accordance with the first paragraph of Article 10 of this Regulation, has received reliable information about the activities of the merchant the requirements on the defining the sphere of merchant activity in the agreement, set in sub￾paragraph “a” of paragraph 1 of Article 12 of this Regulation shall not apply to the already concluded agreements. The acquirer is obliged to inform the merchant by the means at its disposal in advance, by June 1, 2021 about the changes in the agreement. 9. From April 1, 2021, the acquirer is obliged to ensure compliance with the requirements set in Article 12 paragraph 3 of this Regulation. 10. The issuer and the acquirer are obliged to comply with the requirements related to the period of chargeback resolution specified in Article 3 paragraph 7 and Article 10 paragraph 15 of this Regulation from 1 October 2020.